path: root/1c/cbcd1b39e5da85ff4f85495da792efeeb152f9

Return-Path: <pieter.wuille@gmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id 14A9E721
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Wed, 29 Jun 2016 06:58:24 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-lf0-f50.google.com (mail-lf0-f50.google.com
	[209.85.215.50])
	by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 4643D126
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Wed, 29 Jun 2016 06:58:23 +0000 (UTC)
Received: by mail-lf0-f50.google.com with SMTP id l188so26617055lfe.2
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Tue, 28 Jun 2016 23:58:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
	h=mime-version:in-reply-to:references:date:message-id:subject:from:to
	:cc; bh=4UE5MQnIxoEE9Chi0ktSXlE427RpQZE+6JGd6pc2UGc=;
	b=QuKw+ccJNWtMYy3QOLL4Jl4rZ1rj8d6Z//xbCuCMpGivVLMduuFwp1/rgSRdnQ36Z0
	zHSQ6KklfK6xsQWso/h9VPq0wCpS4tzRke5GXsKl++8QBpRpyJLJGgiI3fBX3A3pA3yX
	aQ9XulCWK5FuzTLc+hhA7XpeGfChtLUdO8tOcSt0acDEJh+d2ZX1MF/PbVtPUmMahnef
	ZM03cnYJNWGx9Ll9VXwuU2+qxmbTbGcB9ab9/YzZ1dFOVqnZfTX3vGscBi3CIhkAAj3/
	28kZCXgdXDxKH4VleJkpfI+cQRdoYI00bvR4LvjhHH2d1l/P3nhc97+NNzKLDAgrgMCO
	/sfQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:mime-version:in-reply-to:references:date
	:message-id:subject:from:to:cc;
	bh=4UE5MQnIxoEE9Chi0ktSXlE427RpQZE+6JGd6pc2UGc=;
	b=gTQ0CUKHEFOo/2DhjHdeC4aLIk5y90OB7BR48Xqy4QfXf5d0jXAGyrcOVI+Ht22vZs
	I9OOh0j0ihaphAlMpCs2EEPNoE9sbInOJIDweLWvn2bfuxT4XFM5GtzukCVeoX7l9n3a
	Ri6yZrMf1qhY7KohNUPLvBGXS5BZ6vJuk9vjQ3QRSGa/W/EqPMOCE7teC5EBpRkKwvX+
	Fo7+dADNDLBp2VfrKe6B5JoDASjSRcVYOPZ9P8Ss6eTIyjqVoHThKcrwEvW4XhuK4/k3
	iixYqanEwFtN21oqxYrdq3UvJB/s4aip7m9jRc03VDmdjCAsmvCUzdCD27laC8wmPBCA
	roGg==
X-Gm-Message-State: ALyK8tKnpJLEdz7SLRCvipNdE/zYuH7txyQRviXUNCuUXMTlK7Bj1Rc96mBF9CXrIjNkpFAW2KCl7VLHpiXt/Q==
MIME-Version: 1.0
X-Received: by 10.46.71.83 with SMTP id u80mr1736071lja.15.1467183501243; Tue,
	28 Jun 2016 23:58:21 -0700 (PDT)
Received: by 10.114.180.101 with HTTP; Tue, 28 Jun 2016 23:58:21 -0700 (PDT)
Received: by 10.114.180.101 with HTTP; Tue, 28 Jun 2016 23:58:21 -0700 (PDT)
In-Reply-To: <CAEM=y+XKQZVz6UieB-nDy_C9xTmXiBB3-atuuZkxzmPoSVPOJw@mail.gmail.com>
References: <87h9cecad5.fsf@rustcorp.com.au>
	<577224E8.6070307@jonasschnelli.ch>
	<8760ssdd1u.fsf@rustcorp.com.au>
	<CAEM=y+XKQZVz6UieB-nDy_C9xTmXiBB3-atuuZkxzmPoSVPOJw@mail.gmail.com>
Date: Wed, 29 Jun 2016 08:58:21 +0200
Message-ID: <CAPg+sBj3QRGYUzJn96ZS4bf1ZEH9KTwF+OxPXE-O_YJA66grBg@mail.gmail.com>
From: Pieter Wuille <pieter.wuille@gmail.com>
To: Ethan Heilman <eth3rs@gmail.com>,
	Bitcoin Dev <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary=001a11402fa4697c6305366547fb
X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_LOW
	autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
Subject: Re: [bitcoin-dev] BIP 151 use of HMAC_SHA512
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jun 2016 06:58:24 -0000

--001a11402fa4697c6305366547fb
Content-Type: text/plain; charset=UTF-8

On Jun 29, 2016 07:05, "Ethan Heilman via bitcoin-dev" <
bitcoin-dev@lists.linuxfoundation.org> wrote:
>
> >It's also not clear to me why the HMAC, vs just
SHA256(key|cipher-type|mesg).  But that's probably just my crypto
ignorance...
>
> SHA256(key|cipher-type|mesg) is an extremely insecure MAC because of
> the length extension property of SHA256.

This property does technically not apply here, as the output of the hash is
kept secret, and the possible messages are constants (which are presumably
chosen in such a way that one is never an extension of another).

However, this is a good example of why you can't generically use a hash
function in places where you want a MAC (aka "a hash with a shared
secret"). Furthermore, if you already have a hash function anyway, HMAC is
very easy construct on top of it.

-- 
Pieter

--001a11402fa4697c6305366547fb
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<p dir=3D"ltr">On Jun 29, 2016 07:05, &quot;Ethan Heilman via bitcoin-dev&q=
uot; &lt;<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org">bitcoin-d=
ev@lists.linuxfoundation.org</a>&gt; wrote:<br>
&gt;<br>
&gt; &gt;It&#39;s also not clear to me why the HMAC, vs just SHA256(key|cip=
her-type|mesg).=C2=A0 But that&#39;s probably just my crypto ignorance...<b=
r>
&gt;<br>
&gt; SHA256(key|cipher-type|mesg) is an extremely insecure MAC because of<b=
r>
&gt; the length extension property of SHA256.</p>
<p dir=3D"ltr">This property does technically not apply here, as the output=
 of the hash is kept secret, and the possible messages are constants (which=
 are presumably chosen in such a way that one is never an extension of anot=
her).</p>
<p dir=3D"ltr">However, this is a good example of why you can&#39;t generic=
ally use a hash function in places where you want a MAC (aka &quot;a hash w=
ith a shared secret&quot;). Furthermore, if you already have a hash functio=
n anyway, HMAC is very easy construct on top of it.</p>
<p dir=3D"ltr">-- <br>
Pieter<br>
</p>

--001a11402fa4697c6305366547fb--